Introduction to systemd-resolved
I’ve worked with Linux systems for years, and one thing that’s become increasingly important is DNS resolution. systemd-resolved is a DNS resolver component of the systemd suite, designed to provide a flexible and secure way to resolve domain names. It was introduced in systemd version 216, released in 2015, and has since become a standard component in many Linux distributions. By default, systemd-resolved uses a split DNS configuration, which can sometimes lead to DNS leaks and unexpected behavior. I’ve seen this go wrong when a system has multiple network interfaces or connections, each with its own DNS resolver configuration.
Understanding Split DNS Configurations
A split DNS configuration is used when a system has multiple network interfaces or connections, each with its own DNS resolver configuration. This can happen when a laptop is connected to both a wired Ethernet network and a wireless network, or when a system is connected to a VPN. In such cases, systemd-resolved will use the DNS resolver configuration from each interface, which can lead to DNS leaks if not properly configured. The real trick is to understand how systemd-resolved handles split DNS configurations. By default, systemd-resolved will use the DNS resolver configuration from the interface with the highest priority. This priority is determined by the DNS setting in the network interface configuration file, usually located in /etc/systemd/network/.
Configuring systemd-resolved
To configure systemd-resolved, you can use the resolvectl command-line tool. This tool allows you to query and modify the DNS resolver configuration, as well as troubleshoot DNS issues. I usually start with the resolvectl status command to list all DNS resolver configurations:
resolvectl status
This will display a list of all DNS resolver configurations, including the interface name, DNS server IP addresses, and the DNS search domains. To modify the DNS resolver configuration for a specific interface, you can use the resolvectl command with the dns option. For example:
resolvectl dns eth0 8.8.8.8 8.8.4.4
This will set the DNS server IP addresses for the eth0 interface to 8.8.8.8 and 8.8.4.4.
Avoiding DNS Leaks
To avoid DNS leaks, it’s essential to ensure that all network interfaces use the same DNS resolver configuration. You can achieve this by setting the DNS setting in the network interface configuration file to the same value for all interfaces. For example, you can add the following lines to the /etc/systemd/network/eth0.network file:
[Match]
Name=eth0
[Network]
DNS=8.8.8.8 8.8.4.4
This will set the DNS server IP addresses for the eth0 interface to 8.8.8.8 and 8.8.4.4. Don’t bother with setting up individual configurations for each interface; it’s easier to just set a global configuration.
Troubleshooting DNS Issues
If you encounter DNS issues, you can use the resolvectl command to troubleshoot the problem. For example, to query the DNS resolver configuration for a specific domain, you can use the following command:
resolvectl query example.com
This will display the DNS resolver configuration for the example.com domain, including the DNS server IP addresses and the DNS search domains. You can also use the resolvectl command to test the DNS resolver configuration. For example:
resolvectl test example.com
This will test the DNS resolver configuration for the example.com domain and display the results.
Security Considerations
When configuring systemd-resolved, it’s essential to consider security implications. For example, using a public DNS service like Google Public DNS or Cloudflare DNS can provide additional security features like DNS over HTTPS (DoH) or DNS over TLS (DoT). To enable DoH or DoT, you can add the following lines to the /etc/systemd/resolved.conf file:
[Resolve]
DNSOverHTTPS=yes
DNSOverTLS=yes
This will enable DoH and DoT for all DNS queries. This is where people usually get burned: forgetting to enable these features can leave your system vulnerable to DNS-based attacks.
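As an added example that is not from the original post, this script applies the split-DNS and encrypted-transport points above to a constructed `resolvectl status` listing: it keeps the links whose Protocols line carries +DefaultRoute (the links systemd-resolved may use for a query that matches no routing domain) and flags any that disagree on DNS servers or lack +DNSOverTLS. The status text, link names and server addresses are constructed; on a live host, pipe `resolvectl status` into check_dns_leak instead of the sample.

```shell
# Constructed sample of `resolvectl status` output (not captured from a real host):
# two default-route links with different servers, DNS-over-TLS on only one of them.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 2 (eth0)
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 3 (wlan0)
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 1.1.1.1 1.0.0.1'

# Read status text on stdin; print "<link> <dot:yes|no> <servers>" for every link
# whose Protocols line carries +DefaultRoute (eligible for queries matching no routing domain).
default_route_links() {
    awk '
        function emit() {
            if (link != "" && dr) print link, dot, servers
            link = ""; dr = 0; dot = "no"; servers = ""
        }
        /^Link [0-9]+ \(/ { emit(); link = $3; gsub(/[()]/, "", link); next }
        /Protocols:/   { dr = ($0 ~ /\+DefaultRoute/); dot = ($0 ~ /\+DNSOverTLS/) ? "yes" : "no"; next }
        /DNS Servers:/ { sub(/.*DNS Servers: */, ""); servers = $0; next }
        END { emit() }'
}

# Exit status is a bit mask: 1 = default-route links disagree on servers (split DNS,
# a query may leave over either link), 2 = a link sends queries in the clear.
# 0 means every default-route link uses the same servers over DNS-over-TLS.
check_dns_leak() {
    default_route_links | (
        rc=0; first=""
        while read -r link dot servers; do
            [ "$dot" = yes ] || { echo "WARN $link: DNS-over-TLS off ($servers)"; rc=$((rc | 2)); }
            if [ -z "$first" ]; then first=$servers
            elif [ "$servers" != "$first" ]; then
                echo "WARN $link: servers '$servers' differ from '$first' (split DNS)"
                rc=$((rc | 1))
            fi
        done
        exit "$rc"
    )
}

printf '%s\n' "$SAMPLE_STATUS" | check_dns_leak || echo "leak check exit status: $?"
```

The check looks for +DNSOverTLS only, because DNSOverTLS= is the encrypted-transport setting that resolved.conf(5) provides; DNSOverHTTPS= is not a setting systemd-resolved recognises, so it does not change what `resolvectl status` reports.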
For more information on systemd-resolved and its configuration options, refer to the systemd-resolved documentation on the freedesktop.org website, or to the Arch Linux wiki for configuring systemd-resolved on Arch Linux systems.
Further Reading
In practice, configuring systemd-resolved is all about understanding split DNS configurations and using the resolvectl command-line tool. By following the steps outlined in this article, you can ensure that your system uses a secure and reliable DNS resolver configuration. For further reading, check out the systemd documentation on the freedesktop.org website.
See also
- Using systemd to Manage and Rotate Log Files Without Running Out of Disk Space
- Taming systemd-resolved: Tips for Troubleshooting and Customizing DNS Resolution on Linux
- Using rsync and systemd to Automate Offsite Backups of Selected Config Files and User Data
- Troubleshooting Broken Dependencies After Adding a Third-Party Repository
- Using jq to Parse and Manipulate JSON Logs from systemd-journald